March 27, 2002

CHARLES E. BRAVO
SENIOR VICE PRESIDENT, CHIEF TECHNOLOGY OFFICER

ROBERT L. OTTO
VICE PRESIDENT, INFORMATION TECHNOLOGY

SUBJECT: Audit Report - Delivery Unit Notification System Application Development Review (Report Number EM-AR-02-006)

This report presents the results of our audit of the Delivery Unit Notification System Application Development (Project Number 01BS009IS000). This audit was a self-initiated review that was included in our fiscal year 2002 Audit Workload Plan.

The audit disclosed Postal Service program management did not: (1) follow an established systems development life cycle methodology during testing, (2) produce key deliverables, and (3) always test critical security features. As a result, the Postal Service assumed an unnecessarily high risk that the Delivery Unit Notification System would not be developed according to requirements, and that the information security assurance requirements would not be independently validated and tested. Management agreed with our recommendations and has initiatives in progress, completed, or planned addressing the issues in this report. Management’s comments and our evaluation of these comments are included in this report.

We appreciate the cooperation and courtesies provided by your staff during the review. If you have any questions or need additional information, please contact Robert J. Batta, director, eCommerce and Marketing, at (703) 248-2100, or me at (703) 248-2300.

Ronald D. Merryman
Acting Assistant Inspector General for eBusiness

Attachment

cc: James W. Buie
    Wayne H. Orbke
    James L. Golden
    Susan M. Duchek

Delivery Unit Notification System Application Development Review
EM-AR-02-006
Restricted Information

TABLE OF CONTENTS

Executive Summary

Part I

Introduction
    Background
    Objectives, Scope, and Methodology
    Prior Audit Coverage

Part II

Audit Results
    Systems Development Life Cycle Methodology Not Always Followed During System Testing
        Testing of Security Features Had Not Occurred
        Recommendations
        Management’s Comments
        Evaluation of Management’s Comments
        Unit Test Results and Critical Requirements Were Not Always Documented, Retained, or Approved
        Recommendations
        Management’s Comments
        Evaluation of Management’s Comments
        Test Environment Different From Production Environment
        Recommendations
        Management’s Comments
        Evaluation of Management’s Comments
        Independent Quality Assurance Representative Not Assigned
        Recommendation
        Management’s Comments
        Evaluation of Management’s Comments
    A Key Deliverable Was Not Produced
    Recommendations
    Management’s Comments
    Evaluation of Management’s Comments
    Information Security Assurance Validation Not Accomplished
        Recommendations
        Management’s Comments
        Evaluation of Management’s Comments
    Other Observations
    Recommendation
    Management’s Comments
    Evaluation of Management’s Comments

Appendix A. Glossary
Appendix B. Management’s Comments

EXECUTIVE SUMMARY

Introduction

There are five major stages in the systems development life cycle. Each stage has several process points that need to be accomplished to develop a successful project. This report presents our audit of the testing and information security process points of the Delivery Unit Notification System. This is the second report in a series of Office of Inspector General (OIG) self-initiated reviews of Postal Service initiatives in the early phases of development. By early involvement in the process, the OIG can make recommendations to resolve issues in the early stages of development prior to system implementation.
Studies indicated that it is up to 100 times more costly to make changes after a system is placed into production.

Our audit objectives were to determine if the Postal Service: (1) followed sound systems development life cycle processes, (2) produced key deliverables as identified by Postal Service management and industry standards, and (3) considered appropriate application security features during the testing and information security process points of the development of the Delivery Unit Notification System.

Results in Brief

Our review of the Delivery Unit Notification System found that Postal Service program management did not: (1) follow an established systems development life cycle[1] methodology during testing, (2) produce key deliverables, and (3) always test critical security features.

These problems occurred because program management did not: (1) always follow existing Postal Service policies, procedures, and guidelines, (2) adequately define responsibilities of the development team members, and (3) designate members of the information security assurance team and provide necessary training on the new information security assurance process.

As a result, the Postal Service assumed an unnecessarily high risk that the Delivery Unit Notification System would not be developed according to requirements, and that the information security assurance requirements would not be independently validated and tested.

[1] A systems development life cycle is a logical process by which systems analysts, software engineers, programmers, and end-users build information systems and computer applications to solve business problems and needs.

Summary of Recommendations

The deployment of the Delivery Unit Notification System should be delayed until complete testing can be accomplished and desired results obtained.

We recommended management prepare the business needs statement, business needs document, and finalize the requirements document. We also recommended before testing occurs, all requirements are addressed and traced to test scenarios and plans, and test constraints identified. Management should also designate and train members of the information security assurance team.

Summary of Management’s Comments

Management agreed with our findings and recommendations. Corrective actions have been implemented for five of the twelve recommendations. Actions are under way to resolve the remaining items during fiscal year 2002. Management’s comments, in their entirety, are included in Appendix B of this report.

Overall Evaluation of Management’s Comments

Management’s comments are responsive to our findings and recommendations. We agree with the actions management has taken to date and the planned corrective action for each recommendation.

INTRODUCTION

Background

The Postal Service is developing the Delivery Unit Notification System to enable customers to make hold mail and redelivery service(s) requests. In addition, the system will include a 360-degree feedback process to track performance and ensure service requests are fulfilled as required by the customers.

The Delivery Unit Notification System will use and build on the Call Center Management application, which already contains much of the infrastructure needed to support the system.
The Call Center Management infrastructure is used by call center agents and responsible delivery units to handle three million hold mail and redelivery calls annually. A customer interface will be developed to capture customer requests for hold mail and redelivery service(s) and requests will be stored in the Call Center Management database.

We reviewed the design phase of the Delivery Unit Notification System during the testing and information security assurance processes. At the time of our review, the Delivery Unit Notification System was scheduled for implementation in November 2001.

During the testing process, the development team determines whether a software product meets its stated functional, technological, and security requirements. The information security assurance process requires an independent team to validate that security policies have been incorporated into the system.
Technical terms used in this report are described in Appendix A.

Objectives, Scope, and Methodology

Our audit objectives were to determine if the Postal Service: (1) followed sound systems development life cycle processes, (2) produced key deliverables as identified by Postal Service management and industry standards, and (3) considered appropriate application security features during the testing and information security process points of the development of the Delivery Unit Notification System.

Specifically, to accomplish these objectives, we reviewed test scripts and plans, design and application requirement documents, and information security assurance documents.

We conducted audit fieldwork at Postal Service Headquarters and at the Integrated Business Systems Solutions Center in Raleigh, North Carolina, from September 2001 through October 2001.
In addition, we conducted interviews, and reviewed applicable laws and regulations, as well as industry standards and best practices.[2] This audit was conducted from September 2001 through March 2002, in accordance with generally accepted government auditing standards, and included tests of internal controls as were considered necessary under the circumstances. We discussed our conclusions and observations with appropriate management officials and included their comments, where appropriate. We did not rely on computer-generated data to accomplish our objectives.

[2] Criteria cited in the report included Carnegie Mellon’s Capability Maturity Model, Postal Service’s Software Process Standards and Procedures, National Institute of Standards Special Publication 800-18, and Information System Audit and Control Association’s Control Objectives for Information Technology.

Prior Audit Coverage

Our September 29, 2000, report, State of Computer Security in the Postal Service (Report Number IS-AR-00-004) cited that: (1) many Postal Service managers were not fully aware of their responsibilities for computer security and viewed computer security as the sole responsibility of the Information Technology office, (2) a lack of security awareness has resulted in less than sufficient emphasis placed on planning and budgeting for computer security, (3) policies and procedures for computer security were nonexistent, outdated, or oftentimes not implemented or followed, and (4) the National Information Systems Security organization did not have computer security enforcement authority, and was understaffed, underfunded, and not visible postal-wide. Management agreed with Office of Inspector General’s (OIG) recommendations and was working on corrective actions.

AUDIT RESULTS

Systems Development Life Cycle Methodology Not Always Followed During System Testing

Program management did not always follow an established systems development life cycle methodology during testing of the Delivery Unit Notification System. Specifically: (1) system testing did not include tests of all critical security features, (2) all end user requirements were not incorporated during the development effort, (3) test results were not always documented, retained or approved, (4) the test environment did not mirror the production environment, and (5) roles and responsibilities were not always assigned. As a result, program management could not ensure that the system met functional requirements or satisfied end users’ requirements.

Testing determines whether a software product meets its stated requirements. There are four levels of testing. Unit tests ensure each module works correctly; integration tests examine the development of each subsystem; and system tests examine the entire system, including subsystem interfaces, system documentation, and overall functionality, to validate the design requirements have been met. Customer acceptance testing, performed jointly with the end user, ensures that the system meets the end user’s requirements.

We reviewed the Delivery Unit Notification System during the design phase testing and information security assurance processes.
At the time of our review, the Delivery Unit Notification System was scheduled for implementation in November 2001. Corrective actions for the following recommendations should occur before the system is implemented.

Testing of Security Features Had Not Occurred

Program management did not test all critical security features. Specifically, security features such as audit trails, encryption, and Secure Socket Layer,[3] while specified in the integration approach and software/hardware architecture documents, were not included in the testing requirements.

[3] Secure Socket Layer is industry standard technology used to protect web communications.

The Postal Service Software Process Standards and Procedures guideline recommended the testing of all program, data, security functions/features, and technology requirements. In addition, other Postal Service system development guidelines recommended that a master test plan be developed.
This plan would identify tests to be performed, test environment, hardware and software testing requirements, and test roles and responsibilities.

Testing of all critical security features did not occur because program management did not map existing test plans to the system requirements document, Postal Service policies and procedures, and applicable laws to ensure all requirements were tested. Further, the Postal Service had not developed a comprehensive testing approach that would have identified all tests to be performed.

As a result, there is an increased risk the Delivery Unit Notification System would be implemented with serious security weaknesses. For example, without proper encryption, unauthorized individuals may view Privacy Act protected information.

Recommendation

We recommend the senior vice president, chief technology officer:

1. Identify and list all critical security features by mapping existing test plans to system requirements documents, security requirements, as well as Section 508 of the Rehabilitation Act, Privacy Act of 1974, and Postal Service policies and procedures.

Management’s Comments

Management agreed with our recommendation and will take corrective action by mapping existing test plans as recommended by April 5, 2002.

Recommendation

2. Develop a comprehensive testing approach that would include tests of all security features.

Management’s Comments

Management agreed with our recommendation and will take corrective action by performing comprehensive testing for the Delivery Unit Notification System which will include testing of all security features.
This will be completed by April 5, 2002.

Recommendation

We recommend the senior vice president, chief technology officer:

3. Modify test plans to include tests of all security features, perform these tests, and take appropriate action(s) as required.

Management’s Comments

Management agreed with our recommendation and has taken corrective action by updating the security test plan to include tests for all security features. Management will take additional corrective action by resolving issues or problems identified in test results, and incorporate those results into the security plan and risk assessment documents by April 19, 2002.

Evaluation of Management’s Comments

Management’s actions taken to date and planned actions are responsive to recommendations 1 through 3.

Unit Test Results and Critical Requirements Were Not Always Documented, Retained, or Approved

Program management did not always ensure that test results were documented, retained, or approved. Specifically, unit test results were not documented or retained. Further, unit and integration test results were not formally approved prior to moving the system into the next phase of testing. In addition, while the development team requested an approved business needs document, business needs statement and requirements document, these documents were in draft and had not been formally approved by the Integrated Business Systems Solution Center group, who had responsibility for developing the system.

The Postal Service Software Process Standards and Procedures guideline recommends that unit test results should be documented in preparation for inspection, resolution of issues resulting from inspection, and baselining. In addition, industry best practices recommend that management define and implement procedures to ensure that operations and user management formally accepted the test results.
Further, industry best practices recommend that business needs document, business needs statement, and the requirements document are formally approved by the developer, customer, and end user.

Test results were not always documented and approved because program management had not followed Postal Service guidelines and industry best practices prior to moving forward with the project.

Therefore, the Postal Service has no assurance testing was accomplished and that deficiencies noted during testing were corrected. Additionally, development team members were unable to benchmark new test results against old test results. Further, without an approved business needs statement, business needs document, and requirements document, the Postal Service cannot ensure the system will meet business needs.

Recommendation

We recommend the senior vice president, chief technology officer ensure:

4. Test results are documented, retained, and approved prior to moving into the next phase of development.

Management’s Comments

Management agreed with the recommendation the Delivery Unit Notification System project followed Postal Service Software Process Standards and Procedures guidelines regarding documentation of test results. The results of unit and integration tests completed as of the September 17, 2001, audit date were documented, retained and provided to the OIG on September 20, 2001. Additional testing including system, security, and Customer Acceptance Testing will be performed by April 25, 2002. These test results will be documented, retained, and approved prior to moving into the implementation phase.

Evaluation of Management’s Comments

Management comments are responsive to the recommendation that the Software Process Standards and Procedures guidelines were followed for integration tests and these results were provided to the OIG.
No unit test results were provided to the OIG during the audit fieldwork. Unit test results were provided to the OIG in March 2002. We agree with the subsequent corrective actions the Postal Service has taken to conduct additional testing and the plan to conduct, document, retain, and approve additional tests in this area.

Recommendation

We recommend the senior vice president, chief technology officer ensure:

5. The business needs statement, business needs document, and requirements document are approved and provided to the development team.

Management’s Comments

Management agreed with our recommendation and took corrective action on September 21, 2001, by ensuring that the business needs statement, business needs document, and requirements document were signed off by the portfolio manager and later provided to the development team.

Evaluation of Management’s Comments

In response to our audit, the development team did receive the proper documents and this action was responsive to our recommendation.
At the time of our fieldwork the development team had not received copies
of the signed business needs statement, business needs document, and
requirements document. We recommend closure of this recommendation.

Test Environment Different From Production Environment

Delivery Unit Notification System program management did not ensure that
the test environment mirrored the production environment. For example,
hardware components were not in place for the testing environment to mirror
the production environment.

Based on industry best practices and National Institute of Standards and
Technology Special Publication 800-18, hardware and software unit, string,
and customer acceptance tests should be conducted in a test environment
that matches the production environment.

The test environment did not mirror the production environment[4] because
Postal Service management had not provided funding for a production
environment.
Without a production environment, the development team could not define
hardware and interface requirements for the system.

As a result, the Postal Service had no assurance that the tested system
will operate the same in the production environment.

[4] The production environment is the staging area or environment for the
actual system operation.

Recommendation

We recommend the senior vice president, chief technology officer:

    6. Define hardware and interface requirements for the Delivery Unit
       Notification System once a production environment has been
       established.

Management’s Comments

Management agreed with our recommendation and took corrective action on
January 29, 2002, by completing an architectural design document, which
included hardware and software interface requirements.

Evaluation of Management’s Comments

Management’s actions taken are responsive to our recommendation. We
recommend closure of this recommendation.

Recommendation

    7.
       Perform system testing in an environment, which mirrors the
       production environment.

Management’s Comments

Management agreed with our recommendation; however, due to a freeze on
capital spending, they were unable to purchase hardware to replicate the
production environment for testing. Hosting of the Delivery Unit
Notification System will now be provided in-house and the Postal Service
will temporarily assign hardware for testing purposes by April 12, 2002.

Evaluation of Management’s Comments

Management’s planned actions are responsive to our recommendation.

Independent Quality Assurance Representative Not Assigned

Program management did not appoint an independent software quality
assurance representative[5] for the Delivery Unit Notification System
development effort.

[5] The Software Quality Assurance representative independently facilitates
the development of defect-free products that meet all requirements and are
delivered on time at the lowest possible cost.

The Postal Service Software Process Standards and Procedures guidelines
recommend that at project initiation a software quality assurance
representative should be appointed to each project.

A software quality assurance representative was not appointed because
program management did not follow existing Postal Service guidelines.

As a result, program management cannot ensure that the development process
was appropriately monitored, established standards were followed, and
system inadequacies were brought to management’s attention.

Recommendation

We recommend the senior vice president, chief technology officer:

    8. Ensure a software quality assurance representative is appointed to
       the Delivery Unit Notification System project.

Management’s Comments

Management agreed with our recommendation and took corrective action on
December 14, 2001, by appointing an independent software quality assurance
representative to the Delivery Unit Notification System.

Evaluation of Management’s Comments

Management’s actions taken are responsive to our recommendation. We
recommend closure of this recommendation.

A Key Deliverable Was Not Produced

Program management did not ensure a key deliverable, that is a risk
assessment, was produced and reviewed.
The Software Process Standards and Procedures guidelines state the project
manager, with assistance from the business systems manager and project
analyst, develop a risk assessment that identifies risks that may impact
the cost, resources, schedule, and technical aspects of the project.

The information security assurance process required the completion of a
risk assessment for all sensitive, critical, or business-controlled
information resources. The risk assessment identifies the assets at risk,
weaknesses, vulnerabilities, and possible safeguards. Additional risks may
be identified as development progresses through the various systems
development life cycle stages.

Program management did not perform a risk assessment because they believed
that completion of the risk assessment requirement under the information
security assurance process occurred after testing. However, the information
security assurance process requires risk assessments to be performed as the
project progresses through the systems development life cycle.
Without a risk assessment, certain risks inherent in the system may be
overlooked and compromised.

Recommendation

We recommend the senior vice president, chief technology officer:

    9. Complete a risk assessment for the Delivery Unit Notification System
       project, which identifies risks that may impact the cost, resources,
       schedule, security, and technical aspects of the project.

Management’s Comments

Management agreed with our recommendation and completed a security risk
assessment for the Delivery Unit Notification System. In addition, the
Postal Service will take corrective action by April 12, 2002, by
documenting any remaining risks and properly managing and mitigating those
risks following management guidelines.

Evaluation of Management’s Comments

Management’s planned and implemented actions are responsive to our
recommendation.

Information Security Assurance Validation Not Accomplished

During the information security assurance process, the Information Systems
security officer did not perform independent validation of security
requirements.

The new information security assurance process replaced
the prior security certification and accreditation review process. The
process requires the Certification team prepare the information security
assurance package that includes system documentation and test results. In
addition, the information security assurance policy requires an independent
team that includes the Information Systems security officer, to review the
information security assurance package, perform independent validation of
assertions, and independently test the system. Upon completion of the
review, the Information Systems security officer reviews the information
security assurance package, prepares an evaluation report, and forwards any
findings to the accreditor.

Independent validation of security requirements was not performed because
program management had not yet designated members of the information
security assurance team and provided them with the necessary training on
the new information security assurance process.

Independent validation is a critical control to safeguard the integrity,
confidentiality, and availability of Postal Service information, and to
protect the interests of the Postal Service, its personnel, business
partners, and the general public.

Recommendation

We
recommend the senior vice president, chief technology officer:

    10. Ensure independent testing and validation of security requirements
        are performed during the information security assurance process.

Management’s Comments

Management agreed with our recommendation and will take corrective action
by having an independent test group perform independent testing and
validation of the security requirements by April 19, 2002.

Evaluation of Management’s Comments

Management’s planned actions are responsive to our recommendation.

Recommendation

We recommend the senior vice president, chief technology officer:

    11. Designate information security assurance team members and provide
        them the necessary training.

Management’s Comments

Management agreed with our recommendation and took corrective action on
November 16, 2001, by designating an information security assurance team
and having those members receive training.

Evaluation of Management’s Comments

Management’s actions taken are responsive to our recommendation.
We recommend closure of this recommendation.

Other Observations

Although not part of the testing or information security assurance
processes, the Delivery Unit Notification System development team used
software that had not been approved by the Infrastructure Tool Kit
Requirement Committee.[6] Specifically, the team used the web-based tools
Netscape IPlanet, and Unibar.

The Infrastructure Tool Kit provides guidelines on tools that support the
development, deployment, and management of distributed applications. It
includes a list of tools approved for use by the Postal Service information
technology architecture and engineering group. All changes to existing
web-based tools names or versions must be approved by the Infrastructure
Tool Kit Requirement Committee.

Program management did not use approved software because it did not allow
for approval of the web-based tools prior to use.
The tools selected were common industry tools that program management
expected to be approved.

As a result, the Delivery Unit Notification System development team
utilized software products that may not receive continued support from the
vendor. In addition, if the Infrastructure Tool Requirement Committee does
not approve the software, the application cannot be hosted or used on the
Postal Service infrastructure and would have to be redeveloped.

Recommendation

We recommend the senior vice president, chief technology officer:

    12. Ensure that all software used in the development effort is approved
        by the Infrastructure Tool Kit Requirements Committee prior to use.

Management’s Comments

Management agreed with our recommendation and took corrective action on
October 31, 2001, by having all software used in the development effort
approved by the Infrastructure Tool Kit Requirements Committee.

[6] The Infrastructure Tool Kit Requirement Committee is composed of
information technology and customer organization technical personnel.

Evaluation of Management’s Comments

Management’s actions taken are responsive to
our recommendation. We recommend closure of this recommendation.

APPENDIX A. GLOSSARY

Term: Description

Business Needs Document: Business needs document is a joint client and
developer activity. Users and clients define in nontechnical, business
terms what is needed, how the new system is supposed to behave, and how
existing manual and automated systems currently perform.

Business Needs Statement: Business needs statement is a brief statement
prepared jointly by the Business Systems manager, client, and end-users to
identify the high-level business needs that the system will satisfy.

Certification and Accreditation Team: The certification and accreditation
team is responsible for working with the customer of the system and
developers to ensure that certain basic security controls are incorporated
into all sensitive systems during the design and development stages.

Design and Application Requirements Document: The design and application
requirements document is used to verify that requirements and design
interfaces have been developed correctly.

Encryption: Encryption is the conversion of data into a form, called
ciphertext, that cannot be easily understood.

Information Security Assurance Process: The information security assurance
process is the Postal
Service process for protecting the confidentiality, integrity, and
availability of its information resources.

Information Systems Security Officer: Information systems security officer
performs the security certification process of the system and chairs the
security certification committee.

Infrastructure Tool Kit Requirement Committee: The infrastructure tool kit
requirement committee is composed of information technology and customer
organization technical personnel.

Production Environment: The production environment is the staging area or
environment for the actual system operation.

Risk Assessment: An analysis that examines an organization's information
resources, its existing controls, and its remaining organization and
computer system vulnerabilities.
Secure Socket Layer: Secure socket layer is industry standard technology
used to protect web communications.

Software Quality Assurance Representative: The software quality assurance
representative independently facilitates the development of defect free
products that meet all requirements and are delivered on time at the lowest
possible cost.

Systems Development Life Cycle: A systems development life cycle is a
logical process by which systems analysts, software engineers, programmers,
and end users build information systems and computer applications to solve
business problems and needs.

Test Environment: Test environment is utilized by the analysts and
programmers to develop and maintain programs.

Test Plans: Test plans design and document a set of system tests to ensure
that the application system delivered meets all of the requirements
identified in the requirements document.

Unit Test: Testing determines whether a software product meets its stated
requirements. Unit tests make sure each load module works correctly.

APPENDIX B.
MANAGEMENT’S COMMENTS"